Google DNS: Oh How Deliciously Devious.

by David Klemke on December 7, 2009

One of my long time friends (and now work colleague) had a fantastic question to throw at people in interviews to see how they’d fare. It was in a category of questions that I’ve come to know as the “flail” type. There’s no real right answer to it and that’s the point: they’re designed to put you on the spot and see how you deal with it. The interviews he used this in were for a web administrator position and the question was simply: What is the Internet? Now you’ll get many wide and varied answers to that depending on the person’s background and level of expertise. At the same time you get to see their thought processes in motion, something which is invaluable when you’re hiring someone to deal with any and all of the obscure problems a high traffic web site can have.

Any good answer to this question should include at least a passing reference to the Domain Name System (DNS), which is responsible for translating human readable web addresses (like www.therefinedgeek.com.au) into machine readable IP addresses (150.101.112.123). Hosting a recursive DNS service for the public is no small feat, and as such only ISPs and some of the larger companies and government organisations run their own. Google, who it seems won’t be satisfied until the Internet is renamed after them, have decided to offer up a free public DNS resolver to the world at large:

Today, as part of our ongoing effort to make the web faster, we’re launching our own public DNS resolver called Google Public DNS, and we invite you to try it out.

…

The average Internet user ends up performing hundreds of DNS lookups each day, and some complex pages require multiple DNS lookups before they start loading. This can slow down the browsing experience. Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users’ web-surfing experiences faster, safer and more reliable. You can read about the specific technical improvements we’ve made in our product documentation and get installation instructions from our product website.

Now the first thing that popped into my head when I read this was that Google was basically saying “Hey, here’s another awesome free service” while holding back on the fine print of “we’re using this to make our advertising networks more desirable/profitable”. Indeed many of Google’s services track your usage of them and other applications whilst they’re running, and that data is then mined for all sorts of good stuff, usually around targeting advertising better. You really didn’t think all of Google’s stuff was free because they’re just nice guys, did you?

However, this doesn’t appear to be the case for the Google DNS service. Checking out their privacy policy reveals no direct links to their AdSense or AdWords programs, nothing on data mining apart from that done to improve the service, and overall the majority of the data is chucked out about 2 weeks after they gather it (the full client IP address goes sooner, within a day or two, with only the ISP and rough location kept for the remaining two weeks). I’m in 2 minds about this, the first being that internally they knew people would think this. Indeed this is supported by the amount of documentation they released right off the bat saying they’re not. If they did use this to augment their other services they would’ve been fighting a PR nightmare for a long time which would ultimately kill the service (something I’m sure they’d like to avoid). The second is that they’re trying to prod other resolver operators into getting off their hands and implementing new features, like DNSSEC.

There’s been an increasing amount of talk about getting DNSSEC implemented on all the root servers. The original plan was to roll it out one root server at a time from December 1st until they were all completed. In my searches I haven’t actually come across any confirmation that this actually occurred (and my network knowledge is a bit lacking when it comes to actually checking it) so Google might just be trying to show them how it’s done in the hopes they’ll pick up their game. Granted their service is a recursive resolver rather than a root server and is authoritative for nothing at all, and it should be said that at launch Google’s resolver was not itself validating DNSSEC signatures: its defences against cache poisoning were things like randomised source ports and randomised letter case in query names. So what they’ve shown is that a hardened resolver can be run at scale sooner rather than later, not that the DNSSEC job is done.
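For anyone who, like me, wants to actually check whether a resolver is handing back DNSSEC material rather than take it on faith, here is a small added example (mine, not anything from Google or the original post) that builds a bare DNS query for the root SOA record with the EDNS0 DO bit set, parses the reply, and reports whether RRSIG records came back and whether the resolver set the AD (authenticated data) flag. The on-the-wire response used for the offline run is constructed by hand and labelled as such; the resolver address 8.8.8.8 and the timeout are assumptions for the optional live query at the bottom.

```python
import random
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK" bit in the OPT record's TTL field (RFC 4035)
AD_FLAG = 0x0020   # "authenticated data" bit in the DNS header flags


def encode_name(name):
    """Wire-format a dotted name; "." becomes the single root label."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """Query with RD set plus an OPT record asking for DNSSEC records (DO bit)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Header flags plus (name, type, rdata) for every record in the reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "ad": bool(flags & AD_FLAG), "rcode": flags & 0xF, "records": records}


def dnssec_status(query, response):
    """Classify a reply: was it signed, and did the resolver claim to validate it?"""
    reply = parse_response(response)
    if reply["txid"] != struct.unpack(">H", query[:2])[0]:
        return "txid mismatch"                         # not our answer; a spoof or a stray
    signed = any(rtype == TYPE_RRSIG for _, rtype, _ in reply["records"])
    if signed and reply["ad"]:
        return "validated"
    if signed:
        return "signed, not validated"                 # RRSIGs passed through, no AD: a non-validating resolver
    return "unsigned"


def make_sample_response(txid, ad):
    """CONSTRUCTED reply for '. SOA': SOA + RRSIG answers and an OPT record. Dummy signature bytes."""
    flags = 0x8180 | (AD_FLAG if ad else 0)            # QR, RD, RA (+ AD)
    header = struct.pack(">HHHHHH", txid, flags, 1, 2, 0, 1)
    question = encode_name(".") + struct.pack(">HH", TYPE_SOA, 1)
    soa_rdata = (encode_name("a.root-servers.net.") + encode_name("nstld.verisign-grs.com.")
                 + struct.pack(">IIIII", 2009120700, 1800, 900, 604800, 86400))
    rrsig_rdata = (struct.pack(">HBBIIIH", TYPE_SOA, 8, 0, 86400, 0x4B3A0000, 0x4B1F0000, 12345)
                   + encode_name(".") + b"\x00" * 16)  # key tag 12345 and zero signature are placeholders

    def rr(rtype, rdata):
        return encode_name(".") + struct.pack(">HHIH", rtype, 1, 86400, len(rdata)) + rdata

    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + question + rr(TYPE_SOA, soa_rdata) + rr(TYPE_RRSIG, rrsig_rdata) + opt


def query_live(resolver="8.8.8.8", name=".", qtype=TYPE_SOA, timeout=3.0):
    """Assumed resolver address and timeout; sends the query over UDP and classifies the reply."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        response, _ = sock.recvfrom(4096)
    return dnssec_status(query, response)


if __name__ == "__main__":
    q = build_query(".", TYPE_SOA, txid=0x1234)
    print("offline, non-validating resolver:", dnssec_status(q, make_sample_response(0x1234, ad=False)))
    print("offline, validating resolver:    ", dnssec_status(q, make_sample_response(0x1234, ad=True)))
```

Two caveats a practitioner should keep in mind. An AD bit only means the resolver says it validated; unless the path between you and 8.8.8.8 is itself protected, anyone who can spoof that reply can set the bit just as easily, so it is no substitute for validating on your own machine. And "signed, not validated" is exactly what a resolver that forwards RRSIGs without checking them will return, which is the state the root rollout and non-validating resolvers were in at this point.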

The one thing that’s got me on tenterhooks about this is the fact that at their whim Google can change their terms of use for this service, opening up the data mine that they’ve cautiously stayed away from. It also makes me wonder if they might’ve had some connection with the rogue L root server incident at the start of last year (the old L root address kept answering queries from an unknown party after the real server had been renumbered), since anyone malicious would’ve used that to do a whopping great deal of cache poisoning instead of providing a real DNS service. I’ll grant that’s a real stretch of the imagination, but Google was completely capable of performing such a feat.

In the end I’m still not going to use their service simply because to me, the end user, there’s no appreciable difference. Sure my queries might resolve a bit faster and be immune to some of the more exotic DNS attacks, but as an Australian with not so spectacular Internet and relatively good internal security the cost of changing is greater than the benefit. Still, kudos to Google for providing yet another free service.